From today the UK's Information Commissioner's Office will begin enforcing the EU's revised ePrivacy Directive that requires website owners to be upfront with their users about the information they collect.
The so-called cookie law was implemented on 25 May 2011 by Brussels officials, but getting the legislation transposed …

COMMENTS

I reported one large UK educational organisation for persistently spamming me despite being asked to stop on five separate occasions (including once in writing). ICO's response was that they couldn't help despite the organisations concerned clearly having no understanding of how to operate and maintain their own database.

So my guess is that we'll hear of a few high profile cases in the papers of the ICO taking action, but for the rest the ICO will sit around going "not my problem mate".

Re: Bloody annoying

Maybe in the days of Netscape 4/IE 6 'something had to be done' but now every browser under the sun comes with a reasonable set of cookie controls and if that's not enough there's Do Not Track which appears to be gaining traction and add-ons like ABP/NoScript/RequestPolicy et al...

This is why politicians shouldn't be allowed to legislate in technical matters. Just because they can't find the cookie options in the preferences dialog it doesn't mean that an area with a population of 400 million people + everyone who visits from outside that area should be badgered with fecking annoying pop ups saying 'ooh, we use a feature of HTTP headers that's been in use for about 15 years, are you really okay with that? By the way, if you can find the cookie controls, see you next time!'

And so the next popular add-on for browsers will be a technical solution which will identify the 'are you okay with that?' cookie and preserve it while disabling the rest or letting them get wiped when the browser closes.

Re: Bloody annoying

You, someone that understands technology, may well feel that way. The vast majority of people do not, yet many of them would be upset to find out just how much they are tracked and monitored across the internet.

There is no need for 90+ % of the cookies that collect in the browser, just take a look at the list that accumulates sometime. Cookies should be reserved for logins, basically. You can do most of the rest with session ids as parameters in a URL. These irritating popups (I have yet to see one) shouldn't be there either, until someone tries to use a function for which cookies are essential.

I mean, taking el reg as an example, why should anyone need a cookie to read the site? Other than those few of us that log in to make a comment, it seems completely unnecessary and serves to do nothing more than track people, which is unacceptable.

Re: Bloody annoying

Bloody annoying all right; El Reg's cookie pop-up keeps popping up on iPhone despite having already clicked I'm Fine With This every time, and I'm sure it won't be long till this is happening everywhere, and with confusion and uncertainty comes opportunity for mischief.

Re: Bloody annoying

@Liam - Why bother with session parameters at all most of the time? Just why are sessions even tracked on most sites? Seriously, unless you are an online shop or an account based service, there's no need, and the negatives of cookies outweigh the positives.

I'll say it again - why the hell does a site like el reg need to use cookies unless people want to log in and comment? For the other (larger) part of the user base, there's just no need.

@Dan - When 'Do Not Track' is actually respected by the shadier side of the advertising business (i.e. Never) then that's a fine solution. Until then, yes a lot can be done with session ids in URL parameters (which I don't believe went out in the 90s), and in a hell of a lot of cases there's just no need for a cookie in the first place.

Re: Bloody annoying

Like the Reg "The Register uses cookies. Some may have been set already...blah blah blah...If you continue to use the site, we'll assume you're happy to accept the cookies anyway" I delete all cookies when I exit the browser, I set my browser to ask before accepting cookies. So yes, by the time this box pops up I have said ok, so could you please remove that grey bar at the bottom of the page without me having to click on it. I mean, it's not as though these modern wide screens have an excess of vertical pixels is it.

Still not as bad as the BBC site which wastes 5+ lines at the top of the page so I have to scroll down to read the content.

@David

From the user's point of view nothing can be done with session IDs in the URL as if you delete them by hand they keep coming back and if you share the link with someone else or a search bot crawls your site it's a possible security problem.

However properly managing the cookie permissions allows you to reject session IDs on a per site basis if you really want to. Otherwise you can wipe them on exit.

The shadier side of the net can track you with flash cookies, DOM storage, local DB, history sniffing and more. They are only going to take advantage of the 'are you okay with this' message to install malware as someone mentioned here. Do you think premium SMS scammers and 070 fraudsters and the like respect the TPS and Ofcom?

Far better to push for DNT as in the states (and it's not often I say something like that) than annoy everyone with messages that give the impression that 'cookies are bad, m'kay'.

A perfectly good solution to a technical problem (storing state using a stateless protocol) has now been made clumsy to use by clumsy legislation, not just in the UK but across the whole of the EU.

Re: @Dan

WHY DO YOU NEED STATE?

Why is nobody going to answer this question - why in hell's name does a site like the reg need to bother with state for anyone other than logged in users? Why do 90% of the sites out there set multiple cookies when I'm just passing through to read something?

Sure, session IDs could be a security risk if used for sensitive things, nobody's suggesting you can't use cookies where you actually need to, for user accounts and purchasing operations. How many of the sites that set cookies do you think actually use them for this?

If I leave my browser unprotected it quickly accumulates hundreds to thousands of cookies. I buy from maybe three sites, and have user accounts at another ten at most. The rest of the cookies are for tracking of various forms and these are what the legislation aims to reduce, an operation which I'm 100% behind.

Re: @David

I think El Reg and every other site are perfectly entitled to find out which areas on the page/headlines/stories generate most clicks on their own site. If you don't agree with that then you can disable cookies for that site's domain. In addition many 'top stories now' boxes/tickers/false windows on the page/pretty effects to increase the site's appeal need to store temporary data somehow.

There really doesn't need to be a giant warning on every website, it doesn't help the end user in any way.

Re: @David

Giving the client a reasonable set of privacy controls allows the user to make decisions, works for both legitimate and dodgy sites, and doesn't make browsing clumsy.

Mandating messages on the server side doesn't really allow the user to make decisions (it's just 'we need cookies to work, click here to agree' or some sites like BT will give you server-side cookie controls that really are more transparently covered to the user with client-side controls, and remember if the user is interested enough to find server-side controls then they will certainly have already found the client-side controls which have the advantage of working for every site and being standard for that browser not dependent on the server), only works for legitimate sites, and makes browsing clumsy.

Some people like the features I've mentioned. Try and use an AJAX web mail service without them. Just because you miss the days of Mosaic doesn't mean it should be inflicted on everyone by law. If politicians ever hear about the other features I've listed above that dodgy sites could use then we might as well turn off the Internet because browsing is going to turn into a form of masochism.

Just because you maintain that the lack of a message might trip up a dodgy site or two doesn't mean that it's necessary to inconvenience the users who use the vast majority of legitimate sites. Do you really think they're going to bring down e.g. The Pirate Bay over this when they've been going for years? What does the directive allow EU governments to do as a sanction for not complying? Fine them (if they can be found). Not take down the site. Not put the owners in prison.

Re: @Dan

Trouble is, the legislation is toothless. Look at the BBC site: the important cookies, that is the ones which track you as an individual, are described as "essential" and no opt-out is permitted.

Mind you, El Reg isn't any better: "Click the button to accept our cookies. And by not clicking the button, you still accept our cookies". So much for informed "consent".

I predict there is now going to be a huge market in new browser add-ons which block all cookies except specific static ones which say you've accepted cookie policies - thus making the whole business of browsing far more tedious than it ever was before.

ICO just a figurehead

I get the impression that the ICO just seems to be only interested in pursuing large companies and organisations in order to create a nice headline splash. I once reported someone that I used to work for as a driver, as he was in the habit of persistently passing on other drivers' personal details to other drivers and third parties without permission. Got pretty well nil response there from the ICO. He also passed on MY details (address, etc.) to one of the notorious, so-called private parking enforcement companies that got on the gravy train, instead of passing the paperwork directly to me to deal with. I reported this also and the ICO said it was OK to do this if the person concerned suspected that there may be follow-up legal action, which sounds distinctly vague and like some sort of get-out to me. Preposterous. Incidentally, I ignored the parking company's threats and allegations and never got any more correspondence from them. Just a try-on.

Annoying

I'm already mighty pissed off with the directive causing lots of pop ups on just about every site I visit. Effing irritating. Another nail in the coffin for the EU as people find out how much its laws actually affect them - for no real benefit.

Re: Does El Reg really think its compliant?

Rather than being motivated by compliance it looks to me as though the new regulations have provided an excuse for a nag banner with the aim of getting more readers to turn off cookie blocking, thus increasing advertising revenue.

Re: Does El Reg really think its compliant?

The only way to turn the banners off on most sites is to allow a cookie, looking at the scripts some sites run (which I allow), they will put this banner up until you allow them to set cookies. Others like elreg have put it into the html so greasemonkey or something to strip it out. Should be easy enough although some like the bbc are not displaying the banner if I block all their cookies.

Re: Does El Reg really think its compliant?

Sounds like, for many sites, we'll have a choice: accept tracking, or effectively censor what we see simply on the basis of not wanting to be tracked. Sounds much more appropriate for the Soviet Union.

Imagine if public libraries were like this. "Yes, you can browse, but some of the books you can only open if you agree to the authors/publishers/distributors/advertisers tracking you." Or bookshops, or newsagents. You get to the till. "Before we sell you this book, you'll need to agree to being tracked. You don't have to agree, but if you do still buy this book, we'll assume that you do agree anyway."

What next? Compulsory supermarket loyalty cards? Except they won't be compulsory. You just won't be able to buy anything without them.

Re: Does El Reg really think its compliant?

It is more than that. There is a request from El Reg asking about cookies (with, I note (as do others) no NO option). So, okay, we are nice, we like El Reg, we write comments, so we grant permission to them (and, note, THEM alone) to store cookies.

El Reg carries advertising. The website is still in breach because the advertisers never asked, never provided an opt-out, and god knows would likely never be granted permission by the masses.

This legislation is a farce if it thinks El Reg asking counts also for the unknown quantity of unknown advertisers in unknown countries collecting unknown data who neither care about nor are obliged to respect El Reg's privacy policy. Put simply, El Reg (and others) just don't have the moral right to ask this question on behalf of (undisclosed) third parties.

In essence all you seem to need to do currently is put up a privacy policy and state what cookies are used (including 3rd party ones) and tell people how to block cookies if they want. Or if you're more paranoid, then you could do like www.bt.com at the very bottom of their pages.

Beyond that it's pretty much a useless piece of legislation and £500,000 fines...yeah right!

Accept malware

This site uses cookies. Some may have been set already. Read About Managing our cookies. Please click here to unwittingly accept the installation of malware on your machine under the guise of accepting cookies.

This is going to be a dream for botnets!

It will be safer to install a browser extension to automatically accept genuine cookie requests to prevent my 9 & 11 year old users from filling their machine with dross. Are these cookie requests going to be certified?

Re: Pop up blocker

How this should have been done

Mandate that all new browsers should have an easy button to click to list all cookies in use on a given site, their contents, expiry terms, and (if technically feasible) a description of what they are. Whilst I'm as much against evil ad networks as the next guy, ultimately this is locally stored information, over which the user must take some personal responsibility and accountability - but mandating some simple tools that would work for all websites would sound better to me.

Typically with these things, it's going to take some (expensive) test cases before anyone really knows for sure what the ICO wants or is trying to get out of this.

Re: How this should have been done

@Gaz Davidson

*Better than that*

Every browser should have a tool for managing cookies...

Oh no wait.

Not just me or has the EU actually broken the internet with its obtrusive popups - and likely broken accessibility too (which would put any site that fancies complying with this law in breach of other law)? Hey let's take a div and ram some content into it with what is in effect a legal notice. Yeah great plan that'll work.

Maybe if the EU had bothered to model the solution they might have noticed the fact that they were fecking everything up. Thumbs up if like me you have sites and no intention of complying even if it ends up in court.